Risk description Risk Appetite

1 01/04/17 R4 Capacity and Capability: (Cause) Risk that
increasing demand, public and stakeholder
expectations, and/or additional unplanned
work and/or reduced availability of staff
results in (Threat) key resources being
overstretched and having insufficient capacity,
capability, knowledge and/or skills to deliver
all business plan requirements, (Impact)
resulting in business operational issues and
pinch points, possible failure to deliver
regulatory priority activities and impacting
upon the ICO’s ability to deliver all of its
intended objectives and outcomes.
Risk Appetite area: Infrastructure and resources


2 30/04/19 R73 Compliance culture: (Cause) Risk that as
demand and capacity increase and/or changes,
the ICO’s infrastructure and accountability
culture is unable to (Threat) keep up with the
pace of change to comply with legal and other
obligations expected of a modern regulator
(Impact) impacting upon its ability to maintain
and increase public trust and be an effective
and knowledgeable regulator.
Risk Appetite area: Organisational controls and compliance

3 30/07/18 R46 Financial Resilience: (Cause) Risk that
sensitivities in the income growth forecast and
new territories of expenditure (threat) create
inaccurate financial forecasting and planning
assumptions (impact) leading to insufficient
funding or over-funding and financial stress
and impacting the ICO’s reputation, its ability
to meet its statutory requirements, and full
delivery of all of its intended IRSP goals and
outcomes.

4 06/04/20 R84 Major Incident: (Cause) Risk that an internal or
external major incident occurs (e.g. extreme 
weather, fire incident, chemical incident, 
pandemic (e.g. Covid-19), or deliberate 
incidents such as terrorist acts) which renders 
the ICO unable to utilise part or all of its 
resources and infrastructure (such as staff, 
buildings, IT systems etc) such that (Threat) the 
ICO is unable to deliver some, or in extreme 
cases all of its regulation services, (Impact) 
increasing public information rights risk for a 
period of time and resulting in a reduced 
achievement of the IRSP Goals over the longer 
period. 


Managing ICO Reputation: (C) Risk that 
decisions are taken without giving due 
consideration to the strategic reputational 
impact on the ICO (T) such that action is not 
taken at the right time to proactively and 
effectively manage the reputation of the ICO 
(I) impacting upon the ICO’s ability to increase 
public trust and confidence, provide excellent 
public service and to demonstrate that it is an 
effective and knowledgeable regulator. 


Regulatory Action: (Cause) We do not 


a case, have flawed or ineffective processes 
and/or decision-making that mean (threat) we 
take disproportionate, inappropriate, or no 
action against an organisation (impact) which 
allows poor information rights practices to 
continue and/or proliferate and damages the 
ICO’s credibility as a regulator to enforce the 
laws, increase the public’s trust and confidence 
in how data is used, and maintain and develop 
influence within the information rights 
regulatory community 


Statutory Codes: (Cause) Risk that significantly 
complex and contentious subject matter (e.g. 
economic impact), alongside competing 
stakeholder audience expectations slows the 
drafting and implementation of Statutory 
Codes of Practice such that (Threat) the ICO is 
unable to deliver the Codes within required 
timescales and to the desired quality through 
the eyes of external stakeholders (Impact) 
impacting negatively on the ICO’s reputation 
and relevance as a regulator to deliver across 
all stakeholders, decreasing its public trust, 
influence and effectiveness.

Litigation Resource: (Cause) Risk that multiple
or a single significant legal challenge or trend 
emerges (Threat) diverting significant financial 
and non-financial resources into possibly 
lengthy legal disputes (Impact) impacting upon 
the ICO’s ability to legally defend itself which 
could have a domino effect on its decision 
making, its financial resilience, its reputation as 
an effective regulator and diluting its 
operational ability to achieve all of its IRSP 
goals. 


R88 Future role and structure of the ICO: (Cause)
Government led reviews of the role of the 
future data protection regulatory framework, 
and of the ICO’s role, governance and remit, or 
internally-driven organisational restructures, 
(Threat) lead to organisational and stakeholder 
uncertainty or staff change fatigue (Impact) 
impeding the ability of the ICO to regulate with 
maximum efficiency and effectiveness and 
deliver all of its strategic objectives and 
priorities 


Staff Wellbeing and Welfare: (Cause) Risk that 
the ongoing pandemic and lockdown 
arrangements have a detrimental impact upon 
the physical, emotional and mental wellbeing 
of staff such that (threat) capacity may be 
reduced, as staff are less engaged or able to 
perform at their best at a time of increasing 
demand resulting in (impact) possible business 
operational issues and pinch points with 
possible failure to deliver priority activities to 
expected levels. 


Risk Appetite area

Infrastructure and resources

Organisational change and development

Organisational change and development

Column headings: Risk appetite, Current Probability, Current Impact, Current Overall priority, Target Probability, Target Impact, Target Overall Priority


Risk Register 


SMEs: (Cause) Risk that the ICO does not 
sufficiently recognise and act on the needs of 
small organisations such that the ICO (Threat) 
does not provide SMEs with value for money 
relevant services resulting in (impact) low
levels of awareness, poor trust and
information rights practices from SMEs 
impacting upon the ICO’s delivery of the IRSP 
goals around increasing public trust and 
confidence, improving standards of practice 
and being an effective regulator. 
International position: (Cause) The uncertain 
global context in which ICO operates (in 
particular the UK’s future global relationships 
with and outside the EU and implications of 
the Covid19 pandemic) lead to (threat) the ICO 
failing to develop and maintain effective 
international relationships or effectively 
deliver aspects of its domestic regulatory role, 
thereby reducing opportunities to develop 
global collaborative DP approaches on policy, 
tech and interoperability and (Impact) 
meaning the ICO is unable to maintain and 
develop influence within the global 
information rights regulatory community, 
increase public trust and confidence and 
improve standards of information rights. 


Compensation: (Cause) The ICO is unable to 
award compensation to complainants unlike 
other ombudsman services. As a consequence, 
(Threat) consumers go to an ombudsman 
scheme where compensation can be awarded, 
(impact) so the ICO is not seen as a relevant 
regulator and fails to capture data about these 
breaches.

Targeted Regulatory Activity: (Cause) we do
not have effective processes and practices in
place to take a robust risk-based prioritisation
approach to our regulatory work (threat) so we
do not target our work to the most important
and impactful areas of harm (impact) meaning
that we miss opportunities to correct poor


work does not effectively align to deliver all of
the IRSP goals.


R81 Management Board Resilience: (cause)
Management Board and Executive Team
capacity and resilience (threat) may not be
sufficient to retain clarity of leadership and
direction during a critical period of change to
the regulatory landscape (impact) resulting in
delay to the achievement of the IRSP goals and
operational, regulatory and organisational
priorities


Improving Productivity: (Cause) Risk that
growth in the ICO’s investment in
infrastructure, people and process resources
(Threat) is not effectively utilised to reduce
contradictory and duplication of efforts,
minimise delivery gaps, exploit new business
models and maximise best use of ICO
resources such that (Impact) whilst the ICO
grows it does not improve efficiency and
productivity and is no better placed to achieve
the ICO’s IRSP goals and corporate outcomes.

17 01/04/18 R21 Cyber Security: (Cause) Risk that although the
ICO is continuously vigilant with its cyber
security controls that as the ICO’s profile
increases and it innovates with new
technology systems, (Threat) it becomes
increasingly at risk of a security breach, either
malicious or inadvertent from within the
organisation or from external attacks by
cyber-criminals. (Impact) This could result in many
negative impacts, such as distress to
individuals, legal, financial and serious
reputational damage to the ICO, possible
penetration and crippling of the ICO’s IT
systems preventing it from delivering its
regulatory functions and IRSP goals
Risk Appetite area: Security
2 4
1


06/04/20 R86 Political and Economic Environment: (Cause)
Risk that the ICO doesn't have the plans or the
ability to respond to changes in the economic
climate, government policy or to government
attitudes and reviews, meaning that the ICO
doesn't (Threat) adapt and flex quickly enough
or in the right way to meet changing
stakeholder views and needs (Impact)
preventing the achievement of the IRSP goal to
be an effective and efficient regulator.
Risk Appetite area: Regulatory guidance and strategy